From: Greg Kroah-Hartman Date: Mon, 23 Mar 2026 13:09:36 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.1.167~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=becbc9ee624fc33ff3e11f0ccb8464463e22dd45;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: i2c-cp2615-fix-serial-string-null-deref-at-probe.patch i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch --- diff --git a/queue-6.6/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch b/queue-6.6/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch new file mode 100644 index 0000000000..c3d873f089 --- /dev/null +++ b/queue-6.6/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch 
@@ -0,0 +1,43 @@ +From stable+bounces-227968-greg=kroah.com@vger.kernel.org Mon Mar 23 13:56:05 2026 +From: Sasha Levin +Date: Mon, 23 Mar 2026 08:53:01 -0400 +Subject: i2c: cp2615: fix serial string NULL-deref at probe +To: stable@vger.kernel.org +Cc: "Johan Hovold" , "Bence Csókás" , "Andi Shyti" , "Sasha Levin" +Message-ID: <20260323125301.1649463-2-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit aa79f996eb41e95aed85a1bd7f56bcd6a3842008 ] + +The cp2615 driver uses the USB device serial string as the i2c adapter +name but does not make sure that the string exists. + +Verify that the device has a serial number before accessing it to avoid +triggering a NULL-pointer dereference (e.g. with malicious devices). + +Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge") +Cc: stable@vger.kernel.org # 5.13 +Cc: Bence Csókás +Signed-off-by: Johan Hovold +Reviewed-by: Bence Csókás +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260309075016.25612-1-johan@kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-cp2615.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/i2c/busses/i2c-cp2615.c ++++ b/drivers/i2c/busses/i2c-cp2615.c +@@ -298,6 +298,9 @@ cp2615_i2c_probe(struct usb_interface *u + if (!adap) + return -ENOMEM; + ++ if (!usbdev->serial) ++ return -EINVAL; ++ + strscpy(adap->name, usbdev->serial, sizeof(adap->name)); + adap->owner = THIS_MODULE; + adap->dev.parent = &usbif->dev; diff --git a/queue-6.6/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch b/queue-6.6/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch new file mode 100644 index 0000000000..64dd6d3edd --- /dev/null +++ b/queue-6.6/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch 
@@ -0,0 +1,53 @@ +From stable+bounces-227967-greg=kroah.com@vger.kernel.org Mon Mar 23 14:02:02 2026 +From: Sasha Levin +Date: Mon, 23 Mar 2026 08:53:00 -0400 +Subject: i2c: cp2615: replace deprecated strncpy with strscpy +To: stable@vger.kernel.org +Cc: Justin Stitt , Kees Cook , Wolfram Sang , Sasha Levin +Message-ID: <20260323125301.1649463-1-sashal@kernel.org> + +From: Justin Stitt + +[ Upstream commit e2def33f9ee1b1a8cda4ec5cde69840b5708f068 ] + +`strncpy` is deprecated for use on NUL-terminated destination strings [1]. + +We should prefer more robust and less ambiguous string interfaces. + +We expect name to be NUL-terminated based on its numerous uses with +functions that expect NUL-terminated strings. + +For example in i2c-core-base.c +1533: +| dev_dbg(&adap->dev, "adapter [%s] registered\n", adap->name); + +NUL-padding is not required as `adap` is already zero-alloacted with: +| adap = devm_kzalloc(&usbif->dev, sizeof(struct i2c_adapter), GFP_KERNEL); + +With the above in mind, a suitable replacement is `strscpy` [2] due to +the fact that it guarantees NUL-termination on the destination buffer +without unnecessarily NUL-padding. 
+ +Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] +Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] +Link: https://github.com/KSPP/linux/issues/90 +Signed-off-by: Justin Stitt +Reviewed-by: Kees Cook +Signed-off-by: Wolfram Sang +Stable-dep-of: aa79f996eb41 ("i2c: cp2615: fix serial string NULL-deref at probe") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-cp2615.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-cp2615.c ++++ b/drivers/i2c/busses/i2c-cp2615.c +@@ -298,7 +298,7 @@ cp2615_i2c_probe(struct usb_interface *u + if (!adap) + return -ENOMEM; + +- strncpy(adap->name, usbdev->serial, sizeof(adap->name) - 1); ++ strscpy(adap->name, usbdev->serial, sizeof(adap->name)); + adap->owner = THIS_MODULE; + adap->dev.parent = &usbif->dev; + adap->dev.of_node = usbif->dev.of_node; diff --git a/queue-6.6/series b/queue-6.6/series index 50a5091ae4..6a9384ccd3 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -555,6 +555,8 @@ i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch i2c-pxa-defer-reset-on-armada-3700-when-recovery-is-used.patch x86-platform-uv-handle-deconfigured-sockets.patch netfilter-nft_set_pipapo-split-gc-into-unlink-and-reclaim-phase.patch +i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch +i2c-cp2615-fix-serial-string-null-deref-at-probe.patch mtd-rawnand-serialize-lock-unlock-against-other-nand.patch mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch drm-amd-display-fix-displayid-not-found-handling-in-.patch
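Review bot: in i2c-cp2615-fix-serial-string-null-deref-at-probe.patch, the cp2615_i2c_probe() hunk returns -EINVAL for a missing serial string without logging anything, so a device that fails to bind here leaves no trace of why. Consider a dev_err() on &usbif->dev before the return. The new check also sits after the `if (!adap) return -ENOMEM;` path. The dependency patch's message says adap comes from devm_kzalloc(), so nothing leaks, but testing usbdev->serial before the allocation would reject such devices without allocating at all.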
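Review bot: in i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch, the added strscpy() line in cp2615_i2c_probe() discards the return value, so a serial string that does not fit in adap->name is truncated silently. strscpy() returns -E2BIG on truncation. If a truncated adapter name could be ambiguous, check for a negative return and warn or fail the probe. Taken alone, this patch still passes usbdev->serial to the copy unchecked, so it should stay queued together with the NULL-deref fix that follows it in queue-6.6/series.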